The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86)
Full text: PDF (484 KB)
Source: Conference on Computer and Communications Security archive
Proceedings of the 14th ACM conference on Computer and communications security
Alexandria, Virginia, USA
Session: Software security
Pages: 552-561
Year of Publication: 2007
ISBN: 978-1-59593-703-2
Author
Hovav Shacham  University of California, San Diego, La Jolla, CA
Sponsors
ACM: Association for Computing Machinery
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 52,   Downloads (12 Months): 399,   Citation Count: 6
DOI: http://doi.acm.org/10.1145/1315245.1315313

ABSTRACT

We present new techniques that allow a return-into-libc attack, one that calls no functions at all, to be mounted on x86 executables. Our attack combines a large number of short instruction sequences to build gadgets that allow arbitrary computation. We show how to discover such instruction sequences by means of static analysis. We make use, in an essential way, of the properties of the x86 instruction set.


REFERENCES

1. Aleph One. Smashing the stack for fun and profit. Phrack Magazine, 49(14), Nov. 1996. http://www.phrack.org/archives/49/P49-14.
2. Anonymous. Once upon a free(). Phrack Magazine, 57(9), Aug. 2001. http://www.phrack.org/archives/57/p57-0x09.
3. [reference not extracted]
4. blexim. Basic integer overflows. Phrack Magazine, 60(10), Dec. 2002. http://www.phrack.org/archives/60/p60-0x0a.txt.
5. J. R. Crandall, S. F. Wu, and F. T. Chong. Experiences using Minos as a tool for capturing and analyzing novel worms for unknown vulnerabilities. In K. Julisch and C. Krügel, editors, Detection of Intrusions and Malware, and Vulnerability Assessment, Second International Conference, DIMVA 2005, volume 3548 of LNCS, pages 32-50. Springer-Verlag, July 2005.
6. dark spyrit. Win32 buffer overflows (location, exploitation and prevention). Phrack Magazine, 55(15), Sept. 1999. http://www.phrack.org/archives/55/P55-15.
7. M. Garg. About ELF auxiliary vectors, Aug. 2006. Online: manugarg.googlepages.com/aboutelfauxiliaryvectors.
8. M. Garg. Sysenter based system call mechanism in Linux 2.6, July 2006. Online: manugarg.googlepages.com/systemcallinlinux2_6.html.
9. Gera. Insecure programming by example, 2002. Online: community.corest.com/~gera/InsecureProgramming/.
10. gera and riq. Advances in format string exploiting. Phrack Magazine, 59(7), July 2001. http://www.phrack.org/archives/59/p59-0x07.txt.
11. O. Horovitz. Big loop integer protection. Phrack Magazine, 60(9), Dec. 2002. http://www.phrack.org/archives/60/p60-0x09.txt.
12. Intel Corporation. IA-32 Intel Architecture Software Developer's Manual, Volume 2: Instruction Set Reference, 2001.
13. M. Kaempf. Vudo malloc tricks. Phrack Magazine, 57(8), Aug. 2001. http://www.phrack.org/archives/57/p57-0x08.
14. klog. The frame pointer overwrite. Phrack Magazine, 55(8), Sept. 1999. http://www.phrack.org/archives/55/P55-08.
15. S. Krahmer. x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique, Sept. 2005. Online: http://www.suse.de/~krahmer/no-nx.pdf.
16. [reference not extracted]
17. D. Litchfield. Defeating the stack based buffer overflow prevention mechanism of Microsoft Windows 2003 Server, Sept. 2003. Online: http://www.ngssoftware.com/papers/defeating-w2k3-stack-protection.pdf.
18. mammon_. The Bastard project: libdisasm. http://bastard.sourceforge.net/libdisasm.html.
19. [reference not extracted]
20. J. McDonald. Defeating Solaris/SPARC non-executable stack protection. Bugtraq, Mar. 1999.
21. Nergal. The advanced return-into-lib(c) exploits (PaX case study). Phrack Magazine, 58(4), Dec. 2001. http://www.phrack.org/archives/58/p58-0x04.
22. PaX Team. PaX non-executable pages design & implementation. pax.grsecurity.net/docs/noexec.txt.
23. M. Riepe. GNU Libelf. http://www.mr511.de/software/.
24. rix. Writing ia32 alphanumeric shellcodes. Phrack Magazine, 57(15), Dec. 2001. http://www.phrack.org/archives/57/p57-0x18.
25. Scut/team teso. Exploiting format string vulnerabilities. http://www.team-teso.net, 2001.
26. H. Shacham. The geometry of innocent flesh on the bone, Oct. 2007. Online: http://hovav.net/dist/geometry.pdf.
27. [reference not extracted]
28. Solar Designer. "return-to-libc" attack. Bugtraq, Aug. 1997.
29. Solar Designer. JPEG COM marker processing vulnerability in Netscape browsers, July 2000. Online: www.openwall.com/advisories/OW-002-netscape-jpeg/.
30. [reference not extracted]
31. The Metasploit Project. Shellcode archive. Online: http://www.metasploit.com/shellcode.html.
32. The Santa Cruz Operation. System V Application Binary Interface: Intel386 Architecture Processor Supplement, fourth edition, 1996.
33. D. Wheeler. Secure Programming for Linux and Unix HOWTO. Linux Documentation Project, 2003. Online: http://www.dwheeler.com/secure-programs/.
34. M. Zalewski. Remote vulnerability in SSH daemon CRC32 compression attack detector, Feb. 2001. Online: http://www.bindview.com/Support/RAZOR/Advisories/2001/adv_ssh1crc.cfm.